And, at some point, I'll engage in two closely related activities:
connecting my laptop to the DEFCON WLAN (wireless local-area network)
to check e-mail, hoping fervently that I won't do anything dumb enough
to expose my passwords or other personal information to the thousands
of other mischievous punks connected to the DEFCON WLAN, and I'll have
a nervous chuckle or two at the Wall of Sheep, a real-time list of WLAN
users who have done something dumb enough to expose their passwords and
other personal information to the thousands of mischievous punks on the
DEFCON WLAN.

There isn't necessarily that much shame in ending up on the Wall of Sheep.
Several years ago it happened to none other than world-renowned security
expert Winn Schwartau. I should mention that Winn was a very good sport
about it, too—no identity theft, no foul, as they say.

But, that doesn't mean I'm quite ready to put my own reputation on the
line without a fight. You can bet that before I board the plane for Las
Vegas, I'm going to lock my laptop down, and when I'm
there, I'm
going to take care of myself like I was back home in the hood, on the
wrong side of the tracks, after dark, with a pork chop hung around my
neck. Nobody's going to pwn Mick at DEFCON this year without busting
out some supernatural kung fu.
(I hope.)

So what, you may ask, does any of this have to do with those of you who never
go to DEFCON and generally stick to your friendly local coffee shop
wireless hotspots and neighborhood cable-modem LAN segment? Actually,
I think that question pretty much answers itself, but I'll spell it
out for you: the tips and techniques I use to navigate the DEFCON WLAN
safely with my trusty Linux laptop should amply suffice to protect
you on whatever public, semiprivate or spectacularly hostile
networks to which you may find yourself having to connect.

This month's column is about ruthlessly practical Linux desktop
security—what to do to harden your system proactively and, even more
important, what to avoid doing in order to keep it out of harm's way.

Overview and Generalities

Here's a summary of what I'm about to impart:

Keep fully patched.

Turn off all unnecessary network listeners or uninstall them altogether.

Harden your Web browser.

Never do anything important in clear text. Actually, do
nothing
in clear text.

Use VPN software for optimal imperviousness.

Pay attention to SSL certificate errors.

Be careful with Webmail and surf carefully in general.

Make backups before you travel.

Some of those things should be extremely familiar to my regular readers,
or simple common sense, or both. Patching, for example, is both critically
important and blazingly obviously so. Most network attacks begin with
a vulnerable piece of software. Minimizing the number of known bugs
running on your system is arguably the single-most important thing you
can do to secure it.

I'll leave it to you to use the auto-update tools on your Linux
distribution of choice, and the same goes for making backups, an equally obvious
(though important) piece of advice.

At least equally important is minimizing the number of software
applications that accept network connections. If a given application
either is turned off or has been uninstalled, it generally doesn't
matter whether it's vulnerable or not. (Unless, of course, an attacker
can enable a vulnerable application for purposes of privilege escalation,
which is one reason you should not only disable but also remove unnecessary
applications.) I cover service disabling in depth later in this article.

So far, so obvious. But, what about antivirus software? As a matter of
fact, and by the way I'm waiting for someone to convince me otherwise
on this, viruses and worms are not a threat I take very seriously on
Linux. In all my years using and experimenting with Linux, including
in university lab settings and in my own Internet-facing DMZ networks,
I never have had a single malware infection on any Linux system I ran
or administered.

Is this because there are no Linux worms or viruses, or because Mick
is so fabulously elite? No, on both counts. Rather, it's because I've
never been lazy about keeping current with patches, and because I've
always very stubbornly used plain text for all my e-mail.

I've also been lucky in this regard because there are few Linux worms
and viruses in the wild to begin with. But, even if there were more, I
would repeat, keeping current with patching and using e-mail carefully
is more important than running antivirus software.

Great read this month. I really like that you address an issue for very insecure networks but relate it to everyday use. I was motivated afterward to check the security of my NFS/SVN server as well. When I did a netstat --inet -al, I saw lost of things I wasn't expecting. Maybe you could cover security of the "small home" server one of these next months (or is there something I missed in the past?).
Also, you mentioned using IMAPS, POP3S, etc... IMAP with the SSL option (say in Thunderbird) is just that, right?
As a closing comment, I appreciate that you also included info on the Firefox Add-ons like Ghostery, I'll be checking those out soon. But what about TOR? Does The Onion Router offer any security? Does it compromise security since you're asking others to handle your packets? What about if VPN isn't an option? I know I've used it in the past to get past domain name filtering on networks (all forums and blogs were blocked at my work once, including the ones on PHP I needed access to).
Thanks again for a good read, just when I was thinking I might not renew my subscription, you convinced me otherwise.
Winfree

The thing about life is, no one gets out alive. Enjoy it while you can!

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.